packages with E: md5sum-mismatch in the archive (was: Re: mass bug filing about packages manipulating/deleting shipped files)

[Andreas Beckmann <debian@abeckmann.de>]

On 2012-09-18 09:30, Andreas Beckmann wrote:
> Just to give a short impression what we can find here:

> guile-1.6-dev_1.6.8-10.1
>   /usr/lib/libguile-ltdl.la
>   /usr/lib/libguile.la
>   /usr/lib/libguile-srfi-srfi-13-14-v-1.la
>   /usr/lib/libguile-srfi-srfi-4-v-1.la
>   /usr/lib/libguilereadline-v-12.la

Actually, we have lintian errors on the packages in the archive:

E: guile-1.6-libs: md5sum-mismatch usr/lib/libguile-srfi-srfi-4-v-1.la
E: guile-1.6-libs: md5sum-mismatch usr/lib/libguile-srfi-srfi-13-14-v-1.la
E: guile-1.6-libs: md5sum-mismatch usr/lib/libguilereadline-v-12.la
E: guile-1.6-dev: md5sum-mismatch usr/lib/libguile-ltdl.la
E: guile-1.6-dev: md5sum-mismatch usr/lib/libguile.la

I tried rebuilding guile-1.6 in a clean sid pbuilder chroot on amd64 
and could not reproduce the error. So a binNMU might be sufficient to 
fix this. And it's the md5sum that is wrong, the .la files don't change
after the rebuild.

But the more important question is: how can it happen that such broken 
packages enter the archive?

Shouldn't md5sum-mismatch be in ftp-master-auto-reject.profile?

Can someone do a lintian check for just this tag on the whole archive, 
all architectures, all releases? That's just *.deb on a full mirror :-)
And ports should be checked, too.

Andreas

sha256 sums from the bad .debs:
f6530f30619aa2451e88f3ea245824ff779d41e24cb7e3eeacd6b83c7dbfea00  /var/cache/apt/archives/guile-1.6-dev_1.6.8-10.1_amd64.deb
c023046e8ac1180643b42f598b2f0a0aa90e5be50f878fe69fae2d07b5815cb6  /var/cache/apt/archives/guile-1.6-libs_1.6.8-10.1_amd64.deb
22e8a4dc75c6b57bcfd8b0c365a48eb045b8f3317aa74cd00670c7af085f3acb  /var/cache/apt/archives/guile-1.6_1.6.8-10.1_amd64.deb